make SignatureVerifyGadget conditional on the selector input

Author: arnaucube

src/backends/plonky2/primitives/signature.rs

@@ -27,6 +27,12 @@ lazy_static! {
     pub static ref PP: ProverParams = Signature::prover_params().unwrap();
     /// Signature verifier parameters
     pub static ref VP: VerifierParams = Signature::verifier_params().unwrap();
+
+    /// DUMMY_SIGNATURE is used for conditionals where we want to use a `selector` to enable or
+    /// disable signature verification.
+    pub static ref DUMMY_SIGNATURE: Signature = dummy_signature().unwrap();
+    /// DUMMY_PUBLIC_INPUTS accompanies the DUMMY_SIGNATURE.
+    pub static ref DUMMY_PUBLIC_INPUTS: Vec<F> = dummy_public_inputs().unwrap();
 }
 
 pub struct ProverParams {
@@ -38,7 +44,7 @@ pub struct ProverParams {
 pub struct VerifierParams(pub(crate) VerifierCircuitData<F, C, D>);
 
 #[derive(Clone, Debug)]
-pub struct SecretKey(Value);
+pub struct SecretKey(pub(crate) Value);
 
 #[derive(Clone, Debug)]
 pub struct PublicKey(pub(crate) Value);
@@ -114,6 +120,20 @@ impl Signature {
     }
 }
 
+fn dummy_public_inputs() -> Result<Vec<F>> {
+    let sk = SecretKey(Value::from(0));
+    let pk = sk.public_key();
+    let msg = Value::from(0);
+    let s = Value(PoseidonHash::hash_no_pad(&[pk.0 .0, msg.0].concat()).elements);
+    Ok([pk.0 .0, msg.0, s.0].concat())
+}
+
+fn dummy_signature() -> Result<Signature> {
+    let sk = SecretKey(Value::from(0));
+    let msg = Value::from(0);
+    sk.sign(msg)
+}
+
 /// The SignatureInternalCircuit implements the circuit used for the proof of
 /// the argument described at https://eprint.iacr.org/2024/1553.
 ///
@@ -183,7 +203,6 @@ pub mod tests {
 
     use super::*;
 
-    // Note: this test must be run with the `--release` flag.
     #[test]
     fn test_signature() -> Result<()> {
         let sk = SecretKey::new();
@@ -204,4 +223,14 @@ pub mod tests {
 
         Ok(())
     }
+
+    #[test]
+    fn test_dummy_signature() -> Result<()> {
+        let sk = SecretKey(Value::from(0));
+        let pk = sk.public_key();
+        let msg = Value::from(0);
+        DUMMY_SIGNATURE.clone().verify(&pk, msg)?;
+
+        Ok(())
+    }
 }

src/backends/plonky2/primitives/signature_circuit.rs

@@ -19,9 +19,9 @@ use plonky2::{
     plonk::proof::{ProofWithPublicInputs, ProofWithPublicInputsTarget},
 };
 
-use crate::backends::plonky2::basetypes::{Hash, Value, C, D, EMPTY_HASH, EMPTY_VALUE, F};
+use super::signature::{PublicKey, SecretKey, Signature, DUMMY_PUBLIC_INPUTS, DUMMY_SIGNATURE};
+use crate::backends::plonky2::basetypes::{Hash, Proof, Value, C, D, EMPTY_HASH, EMPTY_VALUE, F};
 use crate::backends::plonky2::circuits::common::{CircuitBuilderPod, ValueTarget};
-use crate::backends::plonky2::primitives::signature::{PublicKey, Signature};
 
 lazy_static! {
     /// SignatureVerifyGadget VerifierCircuitData
@@ -34,7 +34,9 @@ pub struct SignatureTarget {
     verifier_data_targ: VerifierCircuitTarget,
     selector: BoolTarget,
     pk: ValueTarget,
+    // proof of the SignatureInternalCircuit (=signature::Signature.0)
     proof: ProofWithPublicInputsTarget<D>,
+    dummy_proof: ProofWithPublicInputsTarget<D>,
 }
 
 impl SignatureVerifyGadget {
@@ -62,23 +64,29 @@ impl SignatureVerifyGadget {
             builder.add_virtual_verifier_data(common_data.config.fri_config.cap_height);
 
         let proof_targ = builder.add_virtual_proof_with_pis(&common_data);
-        builder.verify_proof::<C>(&proof_targ, &verifier_data_targ, &common_data);
+
         // NOTE: we would use the `conditional_verify_proof_or_dummy` method,
         // but since we're using the `standard_recursion_zk_config` (with zk),
-        // internally it fails to generate the `dummy_circuit`. So for the
-        // moment we use `verify_proof` (not-conditional).
-        // builder.conditionally_verify_proof_or_dummy::<C>(
-        //     selector,
-        //     &proof_targ,
-        //     &verifier_data_targ,
-        //     &common_data,
-        // )?;
+        // internally it fails to generate the `dummy_circuit`, which mentions
+        // that degree calculation could be off if zk is enabled. So we use
+        // `conditional_verify_proof` feeding in our own dummy_proof
+        // (signature::DUMMY_PROOF).
+        let dummy_proof_targ = builder.add_virtual_proof_with_pis(&common_data);
+        builder.conditionally_verify_proof::<C>(
+            selector,
+            &proof_targ,
+            &verifier_data_targ,
+            &dummy_proof_targ,
+            &verifier_data_targ,
+            &common_data,
+        );
 
         Ok(SignatureTarget {
             selector,
             proof: proof_targ,
             pk: pk_targ,
             verifier_data_targ,
+            dummy_proof: dummy_proof_targ,
         })
     }
 }
@@ -108,6 +116,14 @@ impl SignatureTarget {
             },
         )?;
 
+        pw.set_proof_with_pis_target(
+            &self.dummy_proof,
+            &ProofWithPublicInputs {
+                proof: DUMMY_SIGNATURE.0.clone(),
+                public_inputs: DUMMY_PUBLIC_INPUTS.clone(),
+            },
+        )?;
+
         pw.set_verifier_data_target(
             &self.verifier_data_targ,
             &super::signature::VP.0.verifier_only,
@@ -124,9 +140,8 @@ pub mod tests {
 
     use super::*;
 
-    // Note: this test must be run with the `--release` flag.
     #[test]
-    fn test_signature_gate() -> Result<()> {
+    fn test_signature_gadget() -> Result<()> {
         // generate a valid signature
         let sk = SecretKey::new();
         let pk = sk.public_key();
@@ -155,4 +170,54 @@ pub mod tests {
 
         Ok(())
     }
+
+    #[test]
+    fn test_signature_gadget_disabled() -> Result<()> {
+        // generate a valid signature
+        let sk = SecretKey::new();
+        let pk = sk.public_key();
+        let msg = Value::from(42);
+        let sig = sk.sign(msg)?;
+        // verification should pass
+        sig.verify(&pk, msg)?;
+
+        // replace the message, so that verifications should fail
+        let msg = Value::from(24);
+        // expect signature native verification to fail
+        let v = sig.verify(&pk, Value::from(24));
+        assert!(v.is_err(), "should fail to verify");
+
+        // circuit
+        let config = CircuitConfig::standard_recursion_zk_config();
+        let mut builder = CircuitBuilder::<F, D>::new(config);
+        let mut pw = PartialWitness::<F>::new();
+        let targets = SignatureVerifyGadget {}.eval(&mut builder)?;
+        targets.set_targets(&mut pw, true, pk.clone(), msg, sig.clone())?; // selector=true
+
+        // generate proof, and expect it to fail
+        let data = builder.build::<C>();
+        assert!(data.prove(pw).is_err()); // expect prove to fail
+
+        // build the circuit again, but now disable the selector that disables
+        // the in-circuit signature verification
+        let config = CircuitConfig::standard_recursion_zk_config();
+        let mut builder = CircuitBuilder::<F, D>::new(config);
+        let mut pw = PartialWitness::<F>::new();
+
+        let targets = SignatureVerifyGadget {}.eval(&mut builder)?;
+        targets.set_targets(&mut pw, false, pk, msg, sig)?; // selector=false
+
+        // generate & verify proof
+        let data = builder.build::<C>();
+        let proof = data.prove(pw)?;
+        data.verify(proof.clone())?;
+
+        // verify the proof with the lazy_static loaded verifier_data (S_VD)
+        S_VD.verify(ProofWithPublicInputs {
+            proof: proof.proof.clone(),
+            public_inputs: vec![],
+        })?;
+
+        Ok(())
+    }
 }